Zostało do usuniecia:

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R3 – Default URLSearchHook is missing
O2 – BHO: Class – {0C3C97D9–21C6–B33B–3429–B59624FD263F} – C:\WINDOWS\system32\mssr32.dll
O2 – BHO: Class – {2CD010E8–0B89–0B57–0309–03493BE208A3} – C:\WINDOWS\system32\iejp.dll
O23 – Service: Network Security Service (NSS) ( 11F#`I) – Unknown owner – C:\WINDOWS\sdkws32.exe

Zastosowanie Silent Runners byłoby wskazane.

Zostało do usuniecia:

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R3 – Default URLSearchHook is missing
O2 – BHO: Class – {0C3C97D9–21C6–B33B–3429–B59624FD263F} – C:\WINDOWS\system32\mssr32.dll
O2 – BHO: Class – {2CD010E8–0B89–0B57–0309–03493BE208A3} – C:\WINDOWS\system32\iejp.dll
O23 – Service: Network Security Service (NSS) ( 11F#`I) – Unknown owner – C:\WINDOWS\sdkws32.exe

Zastosowanie Silent Runners byłoby wskazane.

link do spybota(jest calkowicie darmowy!)
http://www.instalki.pl/programy/download/antyspyware/SpyBot–Search&Destroy.php

czesc ! mam podobny problem co wszyscy ! oto moj log przed zmianami oraz zaraz po (ten drugi) prosze o analize bo moze cos pominalem albo nie daj Boze pojechalem za daleko :) costam pomoglo bo nie mam juz tych meczacych komunikatow ale nadal mecze sie z tapeta (zmiana!) dodatkowo padla mi kazaa (tradycyjnie przy tego typu awariach) oraz gg zglasza bledy :/ z gory dzieki !!! pilne :p


Logfile of HijackThis v1.99.1
Scan saved at 15:27:29, on 2005–09–27
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\sdkws32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\msak.exe
C:\WINDOWS\System32\ctfmon.exe
C:\winstall.exe
C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe
C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\WINDOWS\System32\taskmgr.exe
C:\winstall.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\malarz\Pulpit\pieronek\HijackThis.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – Default URLSearchHook is missing
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: Class – {0C3C97D9–21C6–B33B–3429–B59624FD263F} – C:\WINDOWS\system32\mssr32.dll
O2 – BHO: Class – {2CD010E8–0B89–0B57–0309–03493BE208A3} – C:\WINDOWS\system32\iejp.dll
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 – HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 – HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 – HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 – HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 – HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 – HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime
O4 – HKLM\..\Run: [sdkuj32.exe] C:\WINDOWS\system32\sdkuj32.exe
O4 – HKLM\..\Run: [msak.exe] C:\WINDOWS\msak.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 – HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 – HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 – Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 – Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O8 – Extra context menu item: &Tlumacz z LING... – http://www.ling.pl/ling/def–src.php4
O8 – Extra context menu item: Download with GetRight – C:\Program Files\GetRight\GRdownload.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 – Extra context menu item: Open with GetRight Browser – C:\Program Files\GetRight\GRbrowse.htm
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {15589FA1–C456–11CE–BF01–00AA0055595A} – http://www.nuker.com/products/swn2004/installers/default/SpyWareNukerInstaller.exe
O16 – DPF: {4C39376E–FA9D–4349–BACC–D305C1750EF3} (EPUImageControl Class) – http://tools.ebayimg.com/eps/activex/EPUWALControl_v1–0–3–18.cab
O16 – DPF: {56336BCB–3D8A–11D6–A00B–0050DA18DE71} (RdxIE Class) – http://software–dl.real.com/124f14e5febcbd19ae17/netzip/RdxIE601.cab
O16 – DPF: {5F874A6F–8B34–433D–BA4B–47AC91C0567F} (MailCfg Control) – https://poczta.wp.pl/autoryzacja/mailcfg2.ocx
O17 – HKLM\System\CCS\Services\Tcpip\..\{60CB2FC7–C005–4F71–803A–04817DB26247}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: Network Security Service (NSS) ( 11F#`I) – Unknown owner – C:\WINDOWS\sdkws32.exe
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation Service (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Creative Service for CDROM Access – Creative Technology Ltd – C:\WINDOWS\System32\CTsvcCDA.exe
O23 – Service: GhostStartService – Symantec Corporation – C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 – Service: Macromedia Licensing Service – Unknown owner – C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 – Service: Norton AntiVirus Auto Protect Service (navapsvc) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton Unerase Protection (NProtectService) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 – Service: NVIDIA Driver Helper Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Speed Disk service – Symantec Corporation – C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

––––––––––––––––––––––––––––––––––––––––––––––––––––

aktualny
––––––––––––––––––––––––––––––––––––––––––––––––––––

Logfile of HijackThis v1.99.1
Scan saved at 17:30:53, on 2005–09–27
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sdkws32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\malarz\Pulpit\pieronek\hijack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\trmfo.dll/sp.html#36663
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 – Default URLSearchHook is missing
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: Class – {0C3C97D9–21C6–B33B–3429–B59624FD263F} – C:\WINDOWS\system32\mssr32.dll
O2 – BHO: Class – {2CD010E8–0B89–0B57–0309–03493BE208A3} – C:\WINDOWS\system32\iejp.dll
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 – HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 – HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 – HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 – HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 – HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 – HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800–840\DSLMON.exe
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 – Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O8 – Extra context menu item: &Tlumacz z LING... – http://www.ling.pl/ling/def–src.php4
O8 – Extra context menu item: Download with GetRight – C:\Program Files\GetRight\GRdownload.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 – Extra context menu item: Open with GetRight Browser – C:\Program Files\GetRight\GRbrowse.htm
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O12 – Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 – DPF: {4C39376E–FA9D–4349–BACC–D305C1750EF3} (EPUImageControl Class) – http://tools.ebayimg.com/eps/activex/EPUWALControl_v1–0–3–18.cab
O16 – DPF: {56336BCB–3D8A–11D6–A00B–0050DA18DE71} (RdxIE Class) – http://software–dl.real.com/124f14e5febcbd19ae17/netzip/RdxIE601.cab
O16 – DPF: {5F874A6F–8B34–433D–BA4B–47AC91C0567F} (MailCfg Control) – https://poczta.wp.pl/autoryzacja/mailcfg2.ocx
O17 – HKLM\System\CCS\Services\Tcpip\..\{60CB2FC7–C005–4F71–803A–04817DB26247}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: Network Security Service (NSS) ( 11F#`I) – Unknown owner – C:\WINDOWS\sdkws32.exe
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation Service (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Creative Service for CDROM Access – Creative Technology Ltd – C:\WINDOWS\System32\CTsvcCDA.exe
O23 – Service: GhostStartService – Symantec Corporation – C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 – Service: Macromedia Licensing Service – Unknown owner – C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 – Service: Norton AntiVirus Auto Protect Service (navapsvc) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 – Service: Norton Unerase Protection (NProtectService) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 – Service: NVIDIA Driver Helper Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\System32\nvsvc32.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Speed Disk service – Symantec Corporation – C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

raven87, u Ciebie do usunięcia.

F2 – REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 – HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 – HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 – HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O16 – DPF: {33331111–1111–1111–1111–622221193458} – file://c:\ex.cab
O21 – SSODL: SysTray.Exiv – {2963ECFC–4E5C–2f3b–B334–D67434FC72E0} – C:\WINDOWS\System32\nkplgdik.dll (file missing)

Wszystko wykonujesz w trybie awaryjnym przy wylączonym przywracaniu systemu. Usuwasz wpisy, a wytłuszczone pliki wylatują z dysu.
Masz równieź Repsamno więc przejrzyj wcześniejsze posty opisujące jego dogłębne usuwanie.

aga19791, u Ciebie procedura podobna jak powyźej.

C:\sys212783709.exe
C:\sys212783709.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
O1 – Hosts: 127.0.0.4 n–glx.s–redirect.com
O1 – Hosts: 127.0.0.4 x.full–tgp.net
O1 – Hosts: 127.0.0.4 counter.sexmaniack.com
O1 – Hosts: 127.0.0.4 autoescrowpay.com
O1 – Hosts: 127.0.0.4 www.autoescrowpay.com
O1 – Hosts: 127.0.0.4 www.awmdabest.com
O1 – Hosts: 127.0.0.4 www.sexfiles.nu
O1 – Hosts: 127.0.0.4 awmdabest.com
O1 – Hosts: 127.0.0.4 sexfiles.nu
O1 – Hosts: 127.0.0.4 allforadult.com
O1 – Hosts: 127.0.0.4 www.allforadult.com
O1 – Hosts: 127.0.0.4 www.iframe.biz
O1 – Hosts: 127.0.0.4 iframe.biz
O1 – Hosts: 127.0.0.4 www.newiframe.biz
O1 – Hosts: 127.0.0.4 newiframe.biz
O1 – Hosts: 127.0.0.4 www.vesbiz.biz
O1 – Hosts: 127.0.0.4 vesbiz.biz
O1 – Hosts: 127.0.0.4 www.Pamela.biz
O1 – Hosts: 127.0.0.4 Pamela.biz
O1 – Hosts: 127.0.0.4 www.aaasexypics.com
O1 – Hosts: 127.0.0.4 aaasexypics.com
O1 – Hosts: 127.0.0.4 www.virgin–tgp.net
O1 – Hosts: 127.0.0.4 virgin–tgp.net
O1 – Hosts: 127.0.0.4 www.awmcash.biz
O1 – Hosts: 127.0.0.4 awmcash.biz
O1 – Hosts: 127.0.0.4 buldog–stats.com
O1 – Hosts: 127.0.0.4 www.buldog–stats.com
O1 – Hosts: 127.0.0.4 fregat.drocherway.com
O1 – Hosts: 127.0.0.4 slutmania.biz
O1 – Hosts: 127.0.0.4 www.slutmania.biz
O1 – Hosts: 127.0.0.4 toolbarpartner.com
O1 – Hosts: 127.0.0.4 www.toolbarpartner.com
O1 – Hosts: 127.0.0.4 www.megapornix.com
O1 – Hosts: 127.0.0.4 megapornix.com
O1 – Hosts: 127.0.0.4 www.sp2fucked.biz
O1 – Hosts: 127.0.0.4 sp2fucked.biz
O1 – Hosts: 127.0.0.4 greg–tut.com
O1 – Hosts: 127.0.0.4 www.greg–tut.com
O1 – Hosts: 127.0.0.4 nylonsexy.com
O1 – Hosts: 127.0.0.4 www.nylonsexy.com
O1 – Hosts: 127.0.0.4 vparivalka.com
O1 – Hosts: 127.0.0.4 www.vparivalka.com
O1 – Hosts: 127.0.0.4 iframeprofit.com
O1 – Hosts: 127.0.0.4 www.iframeprofit.com
O1 – Hosts: 127.0.0.4 topsearch10.com
O1 – Hosts: 127.0.0.4 www.topsearch10.com
O1 – Hosts: 127.0.0.4 statscash.biz
O1 – Hosts: 127.0.0.4 www.statscash.biz
O1 – Hosts: 127.0.0.4 vxiframe.biz
O1 – Hosts: 127.0.0.4 www.vxiframe.biz
O1 – Hosts: 127.0.0.4 crazy–toolbar.com
O1 – Hosts: 127.0.0.4 www.crazy–toolbar.com
O1 – Hosts: 127.0.0.4 topcash.biz
O1 – Hosts: 127.0.0.4 www.topcash.biz
O1 – Hosts: 127.0.0.4 loadcash.biz
O1 – Hosts: 127.0.0.4 www.loadcash.biz
O1 – Hosts: 127.0.0.4 txiframe.biz
O1 – Hosts: 127.0.0.4 www.txiframe.biz
O1 – Hosts: 127.0.0.4 procounter.biz
O1 – Hosts: 127.0.0.4 www.procounter.biz
O1 – Hosts: 127.0.0.4 advadmin.biz
O1 – Hosts: 127.0.0.4 www.advadmin.biz
O1 – Hosts: 127.0.0.4 trafficbest.net
O1 – Hosts: 127.0.0.4 www.trafficbest.net
O1 – Hosts: 127.0.0.4 besthvac.com
O1 – Hosts: 127.0.0.4 www.besthvac.com
O1 – Hosts: 127.0.0.4 traff4.com
O1 – Hosts: 127.0.0.4 www.traff4.com
O1 – Hosts: 127.0.0.4 ambush–script.com
O1 – Hosts: 127.0.0.4 www.ambush–script.com
O1 – Hosts: 127.0.0.4 beehappyy.biz
O1 – Hosts: 127.0.0.4 www.beehappyy.biz
O1 – Hosts: 127.0.0.4 tracktraff.cc
O1 – Hosts: 127.0.0.4 www.tracktraff.cc
O1 – Hosts: 127.0.0.4 allcount.net
O1 – Hosts: 127.0.0.4 www.allcount.net
O1 – Hosts: 127.0.0.4 onedayoffer.biz
O1 – Hosts: 127.0.0.4 www.onedayoffer.biz127.0.0.1 downloads1.kaspersky–labs.com

O2 – BHO: (no name) – {91259102–F52D–E42A–57ed–EDA392644311} – C:\WINDOWS\system32\svcpy.dll

O4 – HKLM\..\Run: [userinit] C:\WINDOWS\smss.exe
Zwróć uwage na lokalizację, prawidłowy plik siedzi w system32

O4 – HKLM\..\Run: [combop.exe] combop.exe
O4 – HKLM\..\Run: [combo.exe] combo.exe
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 – HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 – HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O20 – Winlogon Notify: tcpG4T – tcpG4T.dll (file missing)
O21 – SSODL: System – {32F02175–2268–4368–BBE5–400ABB4F07D2} – mcsys.dll (file missing)
O21 – SSODL: SysTray.Excn – {1722ECFF–4356–4f5b–B534–E67294FE75E9} – C:\WINDOWS\system32\mkndgimg.dll (file missing)
O21 – SSODL: Internet Explorer – {F28A40D7–AD0E–034A–C651–5F0ED76232E6} – C:\WINDOWS\system32\Ffcjgh32.dll (file missing)

Zamiast Repsamo jest Haxdoor.AGG
Gdybyś usunęła wszystko i jednak to nie pomogło podajesz nowy log z Hijacka i dodatkowo ten zrobiony skryptem Silent Runners, wiecej informacji o nim znajdziesz w przyklejonym temacie w tym dziale.

@AgA przegladnij sobie ten temat i inne (uzywajac opcji szukaj) zwiazane z spysherifem
i masz mase wskazowek co robic i co usuwac

witam
mam od wczoraj to badziewie SpySheriff ,nawet nie wiedziaa co to jest,ale poczyaam troche wiadomoci na tym forum i troche mnie olsnio
tez mam niebieski ekran z napisem po rodku monitora,mam dwa czerwone krzyzyki na pasku i pokazuja mi sie co troch chmurki w rogu, i nic mi prawie nie dziaa
cigneam sobie HijackThis i oto co mi pokaza:


Logfile of HijackThis v1.99.1
Scan saved at 23:47:09, on 2005–09–26
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\combop.exe
C:\WINDOWS\system32\combo.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Gadu–Gadu\gg.exe
C:\winstall.exe
C:\winstall.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\sys212783709.exe
C:\sys212783709.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\1\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = cza
O1 – Hosts: 127.0.0.4 n–glx.s–redirect.com
O1 – Hosts: 127.0.0.4 x.full–tgp.net
O1 – Hosts: 127.0.0.4 counter.sexmaniack.com
O1 – Hosts: 127.0.0.4 autoescrowpay.com
O1 – Hosts: 127.0.0.4 www.autoescrowpay.com
O1 – Hosts: 127.0.0.4 www.awmdabest.com
O1 – Hosts: 127.0.0.4 www.sexfiles.nu
O1 – Hosts: 127.0.0.4 awmdabest.com
O1 – Hosts: 127.0.0.4 sexfiles.nu
O1 – Hosts: 127.0.0.4 allforadult.com
O1 – Hosts: 127.0.0.4 www.allforadult.com
O1 – Hosts: 127.0.0.4 www.iframe.biz
O1 – Hosts: 127.0.0.4 iframe.biz
O1 – Hosts: 127.0.0.4 www.newiframe.biz
O1 – Hosts: 127.0.0.4 newiframe.biz
O1 – Hosts: 127.0.0.4 www.vesbiz.biz
O1 – Hosts: 127.0.0.4 vesbiz.biz
O1 – Hosts: 127.0.0.4 www.pizdato.biz
O1 – Hosts: 127.0.0.4 pizdato.biz
O1 – Hosts: 127.0.0.4 www.aaasexypics.com
O1 – Hosts: 127.0.0.4 aaasexypics.com
O1 – Hosts: 127.0.0.4 www.virgin–tgp.net
O1 – Hosts: 127.0.0.4 virgin–tgp.net
O1 – Hosts: 127.0.0.4 www.awmcash.biz
O1 – Hosts: 127.0.0.4 awmcash.biz
O1 – Hosts: 127.0.0.4 buldog–stats.com
O1 – Hosts: 127.0.0.4 www.buldog–stats.com
O1 – Hosts: 127.0.0.4 fregat.drocherway.com
O1 – Hosts: 127.0.0.4 slutmania.biz
O1 – Hosts: 127.0.0.4 www.slutmania.biz
O1 – Hosts: 127.0.0.4 toolbarpartner.com
O1 – Hosts: 127.0.0.4 www.toolbarpartner.com
O1 – Hosts: 127.0.0.4 www.megapornix.com
O1 – Hosts: 127.0.0.4 megapornix.com
O1 – Hosts: 127.0.0.4 www.sp2fucked.biz
O1 – Hosts: 127.0.0.4 sp2fucked.biz
O1 – Hosts: 127.0.0.4 greg–tut.com
O1 – Hosts: 127.0.0.4 www.greg–tut.com
O1 – Hosts: 127.0.0.4 nylonsexy.com
O1 – Hosts: 127.0.0.4 www.nylonsexy.com
O1 – Hosts: 127.0.0.4 vparivalka.com
O1 – Hosts: 127.0.0.4 www.vparivalka.com
O1 – Hosts: 127.0.0.4 iframeprofit.com
O1 – Hosts: 127.0.0.4 www.iframeprofit.com
O1 – Hosts: 127.0.0.4 topsearch10.com
O1 – Hosts: 127.0.0.4 www.topsearch10.com
O1 – Hosts: 127.0.0.4 statscash.biz
O1 – Hosts: 127.0.0.4 www.statscash.biz
O1 – Hosts: 127.0.0.4 vxiframe.biz
O1 – Hosts: 127.0.0.4 www.vxiframe.biz
O1 – Hosts: 127.0.0.4 crazy–toolbar.com
O1 – Hosts: 127.0.0.4 www.crazy–toolbar.com
O1 – Hosts: 127.0.0.4 topcash.biz
O1 – Hosts: 127.0.0.4 www.topcash.biz
O1 – Hosts: 127.0.0.4 loadcash.biz
O1 – Hosts: 127.0.0.4 www.loadcash.biz
O1 – Hosts: 127.0.0.4 txiframe.biz
O1 – Hosts: 127.0.0.4 www.txiframe.biz
O1 – Hosts: 127.0.0.4 procounter.biz
O1 – Hosts: 127.0.0.4 www.procounter.biz
O1 – Hosts: 127.0.0.4 advadmin.biz
O1 – Hosts: 127.0.0.4 www.advadmin.biz
O1 – Hosts: 127.0.0.4 trafficbest.net
O1 – Hosts: 127.0.0.4 www.trafficbest.net
O1 – Hosts: 127.0.0.4 besthvac.com
O1 – Hosts: 127.0.0.4 www.besthvac.com
O1 – Hosts: 127.0.0.4 traff4.com
O1 – Hosts: 127.0.0.4 www.traff4.com
O1 – Hosts: 127.0.0.4 ambush–script.com
O1 – Hosts: 127.0.0.4 www.ambush–script.com
O1 – Hosts: 127.0.0.4 beehappyy.biz
O1 – Hosts: 127.0.0.4 www.beehappyy.biz
O1 – Hosts: 127.0.0.4 tracktraff.cc
O1 – Hosts: 127.0.0.4 www.tracktraff.cc
O1 – Hosts: 127.0.0.4 allcount.net
O1 – Hosts: 127.0.0.4 www.allcount.net
O1 – Hosts: 127.0.0.4 onedayoffer.biz
O1 – Hosts: 127.0.0.4 www.onedayoffer.biz127.0.0.1 downloads1.kaspersky–labs.com
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – e:\adobe acrobat 5.05\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: (no name) – {91259102–F52D–E42A–57ed–EDA392644311} – C:\WINDOWS\system32\svcpy.dll
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 – HKLM\..\Run: [userinit] C:\WINDOWS\smss.exe
O4 – HKLM\..\Run: [combop.exe] combop.exe
O4 – HKLM\..\Run: [combo.exe] combo.exe
O4 – HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 – HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 – HKCU\..\Run: [Gadu–Gadu] "E:\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 – HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 – HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 – Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://E:\MICROS~1\Office10\Office10\EXCEL.EXE/3000
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O20 – Winlogon Notify: tcpG4T – tcpG4T.dll (file missing)
O21 – SSODL: System – {32F02175–2268–4368–BBE5–400ABB4F07D2} – mcsys.dll (file missing)
O21 – SSODL: SysTray.Excn – {1722ECFF–4356–4f5b–B534–E67294FE75E9} – C:\WINDOWS\system32\mkndgimg.dll (file missing)
O21 – SSODL: Internet Explorer – {F28A40D7–AD0E–034A–C651–5F0ED76232E6} – C:\WINDOWS\system32\Ffcjgh32.dll (file missing)
O23 – Service: NOD32 Kernel Service (NOD32krn) – Eset – C:\Program Files\Eset\nod32krn.exe
O23 – Service: NVIDIA Driver Helper Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe

prosz, pomocy,dla mnie znalezienie i zainstalowanie HijackThis to juz szcyt mozliwoci :oops: ,znalazam jeszce ukryty plik :system32
cos teraz trzeba wywali,ale co?

co ja mam dalej zrobi? jestem prosta kobiet i mam bardzooo blade pojecie o komputerze

prosze o wskazówki ,ale takie jak dla dziecka prawie,bo jestem laikiem

z góry dziekuj AgA

to samo co reszta ;/
spysheriff ;/ usuwam go itd wywalam wallpapera z rejestru ale jak uruchamiam ponownie to od poczatku to samo ;/
jak mozecie to pomozcie i powiedzcie co jak i gdzie...

#EDIT: Dobra nikt nie pomogl to sie sprezylem i sam to swinstwo wywalilem :] narqa

Logfile of HijackThis v1.99.1
Scan saved at 22:17:02, on 2005–09–26
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\autoclk.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\windows\system32\mdms.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\tool2.exe
C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Gadu–Gadu\gg.exe
C:\Documents and Settings\Crazyko\Pulpit\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 – REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 – HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 – HKLM\..\Run: [autoclk] autoclk.exe
O4 – HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 – HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 – HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 – HKCU\..\Run: [Gadu–Gadu] "C:\Program Files\Gadu–Gadu\gg.exe" /tray
O4 – HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 – HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 – HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 – HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 – Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O16 – DPF: {33331111–1111–1111–1111–622221193458} – file://c:\ex.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{C61922EF–5149–4E92–9537–6BEC7B6EEA8A}: NameServer = 194.204.152.34 217.98.63.164
O21 – SSODL: SysTray.Exiv – {2963ECFC–4E5C–2f3b–B334–D67434FC72E0} – C:\WINDOWS\System32\nkplgdik.dll (file missing)
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – Unknown owner – C:\Program Files\Avast4\aswUpdSv.exe
O23 – Service: Ati HotKey Poller – Unknown owner – C:\WINDOWS\System32\Ati2evxx.exe
O23 – Service: ATI Smart – Unknown owner – C:\WINDOWS\system32\ati2sgag.exe
O23 – Service: avast! Antivirus – Unknown owner – C:\Program Files\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – Unknown owner – C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)

no napewno zwalnia kompa jak równieź zajmuje miejsca na dysku
tez go mialem wiec wiem:/

:x tez mam spysherif'a ale z tego co tu czytam
jedyna wyrzadzama przez niego szkoda to upierdliwe komentarze i niemozliwosc zmiany tapety.Chodzi mi o to czy nie wyrządza on szkod ciezszego kalibru ktore by bardziej utrudniaja prace na kompie??
prosze o odpowiedz

Równieź masz Repsamo, albo nie działa Ci opcja wylączenia SR ? Jeśli nie to fixy zostaw.
Pokaź lepiej co tam w logach słychać, HJT i Silent.

Witam mam ten sam problem.Idę krok po kroku tak jak w instrukcji i wszystko jest ok.W trybie awaryjnym usunąłem hijackiem to co tzreba ale jak włacze spowrotem na zwykły tryb to juź sie pojawia.A tak pozatym to co tzreba zrobić z plikiem fix.reg który wcześniej tzreba było utworzyć?Gdzieś wkleić?

dzieki wielkie za błyskawiczną odpowiedź
wszystko działa jak trzeba :]
na drugi raz lepiej przeszukam topiki ;]

Menadzera odblokujesz w ten spsoób: http://forum.centrumxp.pl/viewtopic.php?t=29728#faq25
Opcje zmiany tapety w ten sposób: http://forum.centrumxp.pl/viewtopic.php?t=37930

mam w zasadzie ten sam problem co poprzednia osoba
tyle źe za pomocą analizy ze strony hijackthis.de pousuwałem sugerowane wpisy
ale dalej pozostaly dwa objawy: po pierwsze nie moge uruchomić menedźera zadań – komunikat "menedźer został wyłączony przez administatora" oraz nie mogę ustawić tapety na pulpicie.
w obecnym logu z hijackthis analiza nic nie wykrywa groźnego. Uźyłem teź funkcji Przywracanie systemu (%systemroot%\system32\restore\rstrui.exe) ale to teź nie pomaga. Proszę o pomoc i jakieś sugestie.

obecny log

Logfile of HijackThis v1.99.1
Scan saved at 14:43:58, on 2005–08–24
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\maciek\Menu Start\Programy\Copy Handler\ch.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Gadu–Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
E:\Pierdoły\Spy\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: PCTools Site Guard – {5C8B2A36–3DB1–42A4–A3CB–D426709BBFEB} – C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 – BHO: PCTools Browser Monitor – {B56A7D7D–6927–48C8–A975–17DF180C71AC} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 – BHO: NAV Helper – {BDF3E430–B101–42AD–A544–FADC6B084872} – C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF–3FFB–4238–8AD1–7859DF00B1D6} – C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:\WINDOWS\System32\msdxm.ocx
O3 – Toolbar: ZToolbar – {A6790AA5–C6C7–4BCF–A46D–0FDAC4EA90EB} – C:\WINDOWS\System32\ztoolb009.dll
O4 – HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 – HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 – HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 – HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 – HKLM\..\Run: [Copy handler] C:\Documents and Settings\maciek\Menu Start\Programy\Copy Handler\ch.exe
O4 – HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" –atboottime
O4 – HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k
O4 – HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 – Extra context menu item: &Download with &DAP – C:\PROGRA~1\DAP\dapextie.htm
O8 – Extra context menu item: &Google Search – res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 – Extra context menu item: Backward Links – res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 – Extra context menu item: Cached Snapshot of Page – res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 – Extra context menu item: Download &all with DAP – C:\PROGRA~1\DAP\dapextie2.htm
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 – Extra context menu item: Similar Pages – res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 – Extra context menu item: Translate into English – res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\WINDOWS\System32\msjava.dll
O9 – Extra button: Spyware Doctor – {2D663D1A–8670–49D9–A1A5–4C56B4E14E84} – C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 – Extra button: ICQ – {6224f700–cba3–4071–b251–47cb894244cd} – C:\Program Files\ICQ\ICQ.exe
O9 – Extra 'Tools' menuitem: ICQ – {6224f700–cba3–4071–b251–47cb894244cd} – C:\Program Files\ICQ\ICQ.exe
O9 – Extra button: Badanie – {92780B25–18CC–41C8–B9BE–3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 – Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 – DPF: {17492023–C23A–453E–A040–C7C580BBF700} (Windows Genuine Advantage Validation Tool) – http://go.microsoft.com/fwlink/?linkid=39204
O16 – DPF: {31B7EB4E–8B4B–11D1–A789–00A0CC6651A8} (Cult3D ActiveX Player) – http://www.cult3d.com/download/cult.cab
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097189375068
O16 – DPF: {917623D1–D8E5–11D2–BE8B–00104B06BDE3} (CamImage Class) – http://217.173.193.218/activex/AxisCamControl.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
O23 – Service: Ati HotKey Poller – Unknown owner – C:\WINDOWS\System32\Ati2evxx.exe
O23 – Service: ATI Smart – Unknown owner – C:\WINDOWS\system32\ati2sgag.exe
O23 – Service: Symantec Event Manager (ccEvtMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 – Service: Symantec Password Validation (ccPwdSvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 – Service: Symantec Settings Manager (ccSetMgr) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 – Service: Loading Outpost Connections (KDE) – Unknown owner – C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 – Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 – Service: Norton Unerase Protection (NProtectService) – Symantec Corporation – C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 – Service: SAVScan – Symantec Corporation – C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 – Service: ScriptBlocking Service (SBService) – Symantec Corporation – C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 – Service: Symantec Network Drivers Service (SNDSrvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 – Service: Speed Disk service – Symantec Corporation – C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 – Service: SymWMI Service (SymWSC) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Włóź płytę systemową do napędu, przejdz do katalogu C:\WINDOWS\inf kliknij prawym na plik sr.inf i spod prawokliku weź zainstaluj.
Pozniej wskazesz sciezke do tego samego pliku umieszczonego na systemowym CD.
Jesli to nie pomoźe bedzie trzeba wyłączyć przywracanie bez pomocy pliku rstrui.exe
Przygotuj sobie plik rejestru reg (jak wcześniej)
Wklej do niego:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr]
"Start"=dword:00000004
"ImagePath"=hex(2):5c,53,79,73,74,65,6d,52,6f,6f,74,5c,73,79,73,74,65,6d,33,32,\
5c,44,52,49,56,45,52,53,5c,73,72,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters]
"FirstRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Start"=dword:00000004
"ImagePath"=hex(2):5c,53,79,73,74,65,6d,52,6f,6f,74,5c,73,79,73,74,65,6d,33,32,\
5c,44,52,49,56,45,52,53,5c,73,72,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000001

Tak przygotowany plik dodaj do rejestru i sprawdz czy przywracanie zostało wyłączone.
Tutaj tez masz kilka rad co do problemów z przywracaniem.
Usuniesz ustrojstwo całkowicie i pozniej bedziemy w razie czego kombinowali z przywracaniem jesli sie nie naprawi.

nie moge wylaczyc przywracanie sytemu,poniewaz wywala mi komunikat:ze nie moze odnalezc pliku systemowego(rstrui.exe).
wyszukujac ten plik w komputerze znajduje go ale nie moge wejsc w ustawienia pezywracania sytemu...
i co dalej?

Przywracanie http://forum.centrumxp.pl/viewtopic.php?t=33144
Co do rozszerzenia to w notatniku, Plik Zapisz jako Zapisz jako typ: Z listy wybierz wszystkie pliki, Nazwa pliku: fix.reg

no dobra...tak myslałam...jak mam zapisac z rozszerzeniem reg ?
i jak zablokowac przywracanie systemu?

ps.sorki za upierdliwosc?

dorotez:

no dobra jestem niewiastą...czym jest fix?

Widzisz w programie guzik z napisem FIX CHECKED ?
Zaznaczasz podane wpisy i własnie w niego klikasz.